SANS Digital Forensics and Incident Response Blog: Author - Paul Yacovetta

Benefits of using multiple timestamps during timeline analysis in digital forensics

Timeline analysis is a highly valuable tool. However, like everything else in computer forensics, it requires a skilled investigator to examine all the data available in order to find the evidence and provide an accurate account of the events. When analyzing Windows systems, it is common to use key timestamps in forensics such as Creation Date, Last Modified Date, Last Accessed Date, and the Last Modified Date for the file's Master File Table (MFT) entry. A key factor in using these timestamps is to not rely solely on a single timestamp, but use the combination of these timestamps in digital forensics. The combination of these timestamps can prove to be far more powerful and revealing than any single timestamp on its own. I will use an example to illustrate.

A forensic investigator was reviewing volatile evidence collected during an investigation into

...


Client-side Web Application Attacks

Over the past few years, attacks against web applications have become more prevalent and sophisticated. There are several methods of attacking web applications, SQL injection being one of the more well-known. In this article, we are going to discuss a different class of attacks and a few examples of how an incident responder or computer forensic investigator might spot them.

All web forms contain fields that are used to grab input from a user and post it to the server for processing. Form fields are commonly used to collect information, from transaction details on e commerce sites to authentication credentials for restricted content. While form fields are used to collect data legitimately from users, they can also be used maliciously.

An example of this is a client side attack commonly known as form field injection. In this type of attack, malware interacting in a web browser adds additional form fields to

...